The following reply was made to PR pkg/43024; it has been noted by GNATS.
From: "Michael C. Vergallen" <mvergall%telenet.be@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: pkg/43024 (proftpd needs to be updated to 1.3.3 to fix the security issues)
Date: Mon, 22 Mar 2010 02:15:16 +0100
Michael C. Vergallen wrote:
> The following reply was made to PR pkg/43024; it has been noted by GNATS.
>
> From: "Michael C. Vergallen" <mvergall%telenet.be@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: pkg/43024 (proftpd needs to be updated to 1.3.3 to fix the security issues)
> Date: Mon, 22 Mar 2010 01:49:27 +0100
>
> kim%netbsd.org@localhost wrote:
> > Synopsis: proftpd needs to be updated to 1.3.3 to fix the security issues
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: kim%NetBSD.org@localhost
> > State-Changed-When: Sun, 21 Mar 2010 21:26:18 +0000
> > State-Changed-Why:
> > I couldn't see any security issues listed for 1.3.2c on www.proftpd.org.
> > However, I have updated the package to 1.3.3 anyway.
> >
> No, the website does not mention that ... just the
> pkg-vulnerability-list does mention that, and building the package on a
> system that does not have ALLOW_VULNERABLE_PACKAGES=yes does not work.
> As here on site this is not allowed, I didn't have a choice but to ask
> for a bump up in version. Due to the patches that came with pkgsrc-2009Q4,
> it was impossible to modify the package myself. (I tried to rework the
> patches when they failed but didn't succeed. The Makefile and digest
> were no problem, but the patches on the package kept failing.)
>
> Regards.
>
> Michael
>
PS: See
"Package proftpd-1.3.2c has a spoofing-attacks vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3639"
for the reason it fails to build.